Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Monitor only access to ASDM (ASA) for user authenticated via LDAP

     

     

    Introduction

    We can configure ASA to provide monitor only or read only access, to it's ASDM for a user who authenticates using LDAP.

    Configuration

    1.       We need to configure a AAA server on the ASA, in the following configuration I have configured and LDAP as AAA server:

    aaa-server LDAP protocol ldap
    
    aaa-server LDAP (inside) host 192.168.26.55
    
    ldap-base-dn DC=MCS55, DC=COM
    
    ldap-scope subtree
    
    ldap-naming-attribute sAMAccountName
    
    ldap-login-password *****
    
    ldap-login-dn CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com
    
    server-type microsoft
    
    ldap-attribute-map LDAPreadonly
    
    ciscoasa#

    2.       Configure an LDAP attribute map, in the following configuration I have granted privilege 6 to the group and privilege 5 to the user:

    ciscoasa# sh run ldap attribute-map LDAPreadonly
    
    map-name memberOf IETF-Radius-Service-Type
    
    map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 6
    
    map-name sAMAccountName Privilege-Level
    
    map-value sAMAccountName "ashishv" 5
    
    ciscoasa#

    3.       Configure AAA on ASA

    ciscoasa# sh run aaa
    
    aaa authentication telnet console LOCAL
    
    aaa authentication ssh console LOCAL
    
    aaa authentication http console LDAP LOCAL
    
    aaa authorization command LOCAL
    
    aaa authorization exec authentication-server
    
    ciscoasa#

    ASA is now ready to grant read only access to the user called "ashishv"

    4.       On authenticating to ASDM we will get this message, which indicates we have monitor only access.

    1.jpg

    5.       View of the ASDM once you have access:

    2.jpg

    Debugs

    6.       This is how "debug ldap 255” will look like for a successful user authentication:

    ciscoasa#
    
    [45] Session Start
    
    [45] New request Session, context 0xda1861b4, reqType = Authentication
    
    [45] Fiber started
    
    [45] Creating LDAP context with uri=ldap://192.168.26.55:389
    
    [45] Connect to LDAP server: ldap://192.168.26.55:389, status = Successful
    
    [45] supportedLDAPVersion: value = 3
    
    [45] supportedLDAPVersion: value = 2
    
    [45] Binding as ashish AV. varghese
    
    [45] Performing Simple authentication for ashish AV. varghese to 192.168.26.55
    
    [45] LDAP Search:
    
           Base DN = [DC=MCS55, DC=COM]
    
           Filter = [sAMAccountName=ashishv]
    
           Scope   = [SUBTREE]
    
    [45] User DN = [CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com]
    
    [45] Talking to Active Directory server 192.168.26.55
    
    [45] Reading password policy for ashishv, dn:CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com
    
    [45] Read bad password count 0
    
    [45] Binding as ashishv
    
    [45] Performing Simple authentication for ashishv to 192.168.26.55
    
    [45] Processing LDAP response for user ashishv
    
    [45] Message (ashishv):
    
    [45] Authentication successful for ashishv to 192.168.26.55
    
    [45] Retrieved User Attributes:
    
    [45]   objectClass: value = top
    
    [45]   objectClass: value = person
    
    [45]   objectClass: value = organizationalPerson
    
    [45]   objectClass: value = user
    
    [45]   cn: value = ashish AV. varghese
    
    [45]   sn: value = varghese
    
    [45]   givenName: value = ashish
    
    [45]   initials: value = AV
    
    [45]   distinguishedName: value = CN=ashish AV. varghese,CN=Users,DC=MCS55,DC=com
    
    [45]   instanceType: value = 4
    
    [45]   whenCreated: value = 20121224152326.0Z
    
    [45]   whenChanged: value = 20130119142646.0Z
    
    [45]   displayName: value = ashishvarghese
    
    [45]   uSNCreated: value = 186542
    
    [45]   memberOf: value = CN=Account Operators,CN=Builtin,DC=MCS55,DC=com
    
    [45]           mapped to IETF-Radius-Service-Type: value = 6
    
    [45]   uSNChanged: value = 190878
    
    [45]   name: value = ashish AV. varghese
    
    [45]   objectGUID: value = ...+...M.`/.....
    
    [45]    userAccountControl: value = 66048
    
    [45]   badPwdCount: value = 0
    
    [45]   codePage: value = 0
    
    [45]   countryCode: value = 0
    
    [45]   badPasswordTime: value = 130030933379843750
    
    [45]   lastLogoff: value = 0
    
    [45]   lastLogon: value = 130030933572968750
    
    [45]   pwdLastSet: value = 130030792063437500
    
    [45]   primaryGroupID: value = 512
    
    [45]   objectSid: value = ............4E'y...&R.Egt...
    
    [45]   adminCount: value = 1
    
    [45]   accountExpires: value = 9223372036854775807
    
    [45]   logonCount: value = 0
    
    [45]   sAMAccountName: value = ashishv
    
    [45]           mapped to Privilege-Level: value = 5
    
    [45]   sAMAccountType: value = 805306368
    
    [45]   userPrincipalName: value = ashishv@MCS55.com
    
    [45]   objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=MCS55,DC=com
    
    [45]   lastLogonTimestamp: value = 130027602762031250
    
    [45] Fiber exit Tx=561 bytes Rx=2534 bytes, status=1
    
    [45] Session End

    Please feel free to comment in case of any query.

    Comments
    Community Member

    Thanks for this, it really helped me out, but I did find that your solution didn't scale well, and also did not allow any user not explicitly stated into the firewall.

    I have written up how I solved this, and hope that others might find it useful:

    http://www.802101.com/2013/09/separating-monitor-only-and-admin.html

    Community Member

    Stuart,

    thanks for sharing this.

    This is a very creative way of making this scalable.

    Regards,

    Ashish

    Community Member

    Great guide!

    For read-only access to a Group of Users, I tried the commands below:

    map-name memberOf Privilege-Level
    map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 5

    instead of

    map-name memberOf IETF-Radius-Service-Type
    map-value memberOf "CN=Account Operators,CN=Builtin,DC=MCS55,DC=com" 6
    map-name sAMAccountName Privilege-Level
    map-value sAMAccountName "ashishv" 5

    which worked really well for me

    3574
    Views
    10
    Helpful
    3
    Comments